| < draft-tschofenig-rats-psa-token-05.txt | draft-tschofenig-rats-psa-token-06.txt > | |||
|---|---|---|---|---|
| RATS H. Tschofenig | RATS H. Tschofenig | |||
| Internet-Draft S. Frost | Internet-Draft S. Frost | |||
| Intended status: Informational M. Brossard | Intended status: Informational M. Brossard | |||
| Expires: 7 September 2020 A. Shaw | Expires: 4 June 2021 A. Shaw | |||
| T. Fossati | T. Fossati | |||
| Arm Limited | Arm Limited | |||
| 6 March 2020 | 1 December 2020 | |||
| Arm's Platform Security Architecture (PSA) Attestation Token | Arm's Platform Security Architecture (PSA) Attestation Token | |||
| draft-tschofenig-rats-psa-token-05 | draft-tschofenig-rats-psa-token-06 | |||
| Abstract | Abstract | |||
| The Platform Security Architecture (PSA) is a family of hardware and | The Platform Security Architecture (PSA) is a family of hardware and | |||
| firmware security specifications, as well as open-source reference | firmware security specifications, as well as open-source reference | |||
| implementations, to help device makers and chip manufacturers build | implementations, to help device makers and chip manufacturers build | |||
| best-practice security into products. Devices that are PSA compliant | best-practice security into products. Devices that are PSA compliant | |||
| are able to produce attestation tokens as described in this memo, | are able to produce attestation tokens as described in this memo, | |||
| which are the basis for a number of different protocols, including | which are the basis for a number of different protocols, including | |||
| secure provisioning and network access control. This document | secure provisioning and network access control. This document | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 7 September 2020. | This Internet-Draft will expire on 4 June 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Glossary . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Glossary . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. PSA Claims . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. PSA Claims . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Caller Claims . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Caller Claims . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1.1. Auth Challenge . . . . . . . . . . . . . . . . . . . 4 | 3.1.1. Nonce . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1.2. Client ID . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1.2. Client ID . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Target Identification Claims . . . . . . . . . . . . . . 5 | 3.2. Target Identification Claims . . . . . . . . . . . . . . 5 | |||
| 3.2.1. Instance ID . . . . . . . . . . . . . . . . . . . . . 5 | 3.2.1. Instance ID . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2.2. Implementation ID . . . . . . . . . . . . . . . . . . 5 | 3.2.2. Implementation ID . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2.3. Hardware Version . . . . . . . . . . . . . . . . . . 6 | 3.2.3. Certification Reference . . . . . . . . . . . . . . . 6 | |||
| 3.3. Target State Claims . . . . . . . . . . . . . . . . . . . 6 | 3.3. Target State Claims . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.3.1. Security Lifecycle . . . . . . . . . . . . . . . . . 6 | 3.3.1. Security Lifecycle . . . . . . . . . . . . . . . . . 6 | |||
| 3.3.2. Boot Seed . . . . . . . . . . . . . . . . . . . . . . 8 | 3.3.2. Boot Seed . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.4. Software Inventory Claims . . . . . . . . . . . . . . . . 8 | 3.4. Software Inventory Claims . . . . . . . . . . . . . . . . 8 | |||
| 3.4.1. Software Components . . . . . . . . . . . . . . . . . 8 | 3.4.1. Software Components . . . . . . . . . . . . . . . . . 8 | |||
| 3.4.2. No Software Measurements . . . . . . . . . . . . . . 10 | 3.4.2. No Software Measurements . . . . . . . . . . . . . . 10 | |||
| 3.5. Verification Claims . . . . . . . . . . . . . . . . . . . 10 | 3.5. Verification Claims . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.5.1. Verification Service Indicator . . . . . . . . . . . 10 | 3.5.1. Verification Service Indicator . . . . . . . . . . . 11 | |||
| 3.5.2. Profile Definition . . . . . . . . . . . . . . . . . 11 | 3.5.2. Profile Definition . . . . . . . . . . . . . . . . . 11 | |||
| 4. Token Encoding and Signing . . . . . . . . . . . . . . . . . 11 | 4. Token Encoding and Signing . . . . . . . . . . . . . . . . . 11 | |||
| 5. Collated CDDL . . . . . . . . . . . . . . . . . . . . . . . . 11 | 5. Collated CDDL . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Security and Privacy Considerations . . . . . . . . . . . . . 14 | 6. Security and Privacy Considerations . . . . . . . . . . . . . 14 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 7. Verification . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 8.1. CBOR Web Token Claims Registration . . . . . . . . . . . 15 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 15 | 8.1.1. Nonce Claim . . . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix A. Reference Implementation . . . . . . . . . . . . . . 16 | 8.1.2. Client ID Claim . . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix B. Example . . . . . . . . . . . . . . . . . . . . . . 16 | 8.1.3. Instance ID Claim . . . . . . . . . . . . . . . . . . 16 | |||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 8.1.4. Implementation ID Claim . . . . . . . . . . . . . . . 16 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 8.1.5. Certification Reference Claim . . . . . . . . . . . . 17 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | 8.1.6. Security Lifecycle Claim . . . . . . . . . . . . . . 17 | |||
| 8.1.7. Boot Seed Claim . . . . . . . . . . . . . . . . . . . 17 | ||||
| 8.1.8. Software Components Claim . . . . . . . . . . . . . . 18 | ||||
| 8.1.9. No Software Measurements Claim . . . . . . . . . . . 18 | ||||
| 8.1.10. Verification Service Indicator Claim . . . . . . . . 18 | ||||
| 8.1.11. Profile Definition Claim . . . . . . . . . . . . . . 19 | ||||
| 8.2. Media Type Registration . . . . . . . . . . . . . . . . . 19 | ||||
| 8.3. CoAP Content-Formats Registration . . . . . . . . . . . . 20 | ||||
| 8.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 20 | ||||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 20 | ||||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 22 | ||||
| Appendix A. Reference Implementation . . . . . . . . . . . . . . 22 | ||||
| Appendix B. Example . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | ||||
| 1. Introduction | 1. Introduction | |||
| Trusted execution environments are now present in many devices, which | Trusted execution environments are now present in many devices, which | |||
| provide a safe environment to place security sensitive code such as | provide a safe environment to place security sensitive code such as | |||
| cryptography, secure boot, secure storage, and other essential | cryptography, secure boot, secure storage, and other essential | |||
| security functions. These security functions are typically exposed | security functions. These security functions are typically exposed | |||
| through a narrow and well-defined interface, and can be used by | through a narrow and well-defined interface, and can be used by | |||
| operating system libraries and applications. Various APIs have been | operating system libraries and applications. Various APIs have been | |||
| developed by Arm as part of the Platform Security Architecture [PSA] | developed by Arm as part of the Platform Security Architecture [PSA] | |||
| skipping to change at page 4, line 24 ¶ | skipping to change at page 4, line 41 ¶ | |||
| token. | token. | |||
| CDDL [RFC8610] along with text descriptions is used to define each | CDDL [RFC8610] along with text descriptions is used to define each | |||
| claim independent of encoding. The following CDDL type(s) are reused | claim independent of encoding. The following CDDL type(s) are reused | |||
| by different claims: | by different claims: | |||
| psa-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 | psa-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 | |||
| 3.1. Caller Claims | 3.1. Caller Claims | |||
| 3.1.1. Auth Challenge | 3.1.1. Nonce | |||
| The Auth Challenge claim is an input object from the caller. For | The Nonce claim is a challenge from the caller. The length must be | |||
| example, this can be a cryptographic nonce, a hash of locally | 32, 48, or 64 bytes. | |||
| attested data. The length must be 32, 48, or 64 bytes. | ||||
| This claim MUST be present in a PSA attestation token. | This claim MUST be present in a PSA attestation token. | |||
| psa-nonce-claim = ( | psa-nonce = ( | |||
| arm_psa_nonce => psa-hash-type | psa-nonce-key => psa-hash-type | |||
| ) | ) | |||
| 3.1.2. Client ID | 3.1.2. Client ID | |||
| The Client ID claim represents the Partition ID of the caller. It is | The Client ID claim represents the security domain of the caller. | |||
| a signed integer whereby negative values represent callers from the | ||||
| NSPE and where positive IDs represent callers from the SPE. The | In PSA, a security domain is represented by a signed integer whereby | |||
| value 0 is not permitted. For a definition of the Partition ID, see | negative values represent callers from the NSPE and where positive | |||
| the PSA Firmware Framework [PSA-FF]. | IDs represent callers from the SPE. The value 0 is not permitted. | |||
| For an example definition of client IDs, see the PSA Firmware | ||||
| Framework [PSA-FF]. | ||||
| It is essential that this claim is checked in the verification | It is essential that this claim is checked in the verification | |||
| process to ensure that a security domain, i.e., an attestation | process to ensure that a security domain, i.e., an attestation | |||
| endpoint, cannot spoof a report from another security domain. | endpoint, cannot spoof a report from another security domain. | |||
| This claim MUST be present in a PSA attestation token. | This claim MUST be present in a PSA attestation token. | |||
| Note that the CDDL label used to be called arm_psa_partition_id. | ||||
| psa-client-id-nspe-type = -2147483648...0 | psa-client-id-nspe-type = -2147483648...0 | |||
| psa-client-id-spe-type = 1..2147483647 | psa-client-id-spe-type = 1..2147483647 | |||
| psa-client-id-type = psa-client-id-nspe-type / psa-client-id-spe-type | psa-client-id-type = psa-client-id-nspe-type / psa-client-id-spe-type | |||
| psa-client-id = ( | psa-client-id = ( | |||
| arm_psa_partition_id => psa-client-id-type | psa-client-id-key => psa-client-id-type | |||
| ) | ) | |||
| 3.2. Target Identification Claims | 3.2. Target Identification Claims | |||
| 3.2.1. Instance ID | 3.2.1. Instance ID | |||
| The Instance ID claim represents the unique identifier of the device | The Instance ID claim represents the unique identifier of the device | |||
| instance. It is a 32 bytes hash of the public key corresponding to | instance. It is a 32 bytes hash of the public key corresponding to | |||
| the Initial Attestation Key (IAK). If the IAK is a symmetric key | the Initial Attestation Key (IAK). If the IAK is a symmetric key | |||
| then the Instance ID is a hash of the IAK itself. It is encoded as a | then the Instance ID is a hash of the hash of the IAK itself. It is | |||
| Universal Entity ID of type RAND [I-D.ietf-rats-eat], i.e., | encoded as a Universal Entity ID of type RAND [I-D.ietf-rats-eat], | |||
| prepending a 0x01 type byte to the key hash. The full definition is | i.e., prepending a 0x01 type byte to the key hash. The full | |||
| in [PSA-SM]. | definition is in [PSA-SM]. | |||
| This claim MUST be present in a PSA attestation token. | This claim MUST be present in a PSA attestation token. | |||
| psa-instance-id-type = bytes .size 33 | psa-instance-id-type = bytes .size 33 | |||
| psa-instance-id = ( | psa-instance-id = ( | |||
| arm_psa_UEID => psa-instance-id-type | psa-instance-id-key => psa-instance-id-type | |||
| ) | ) | |||
| 3.2.2. Implementation ID | 3.2.2. Implementation ID | |||
| The Implementation ID claim uniquely identifies the underlying | The Implementation ID claim uniquely identifies the underlying | |||
| immutable PSA RoT. A verification service can use this claim to | immutable PSA RoT. A verification service can use this claim to | |||
| locate the details of the verification process. Such details include | locate the details of the verification process. Such details include | |||
| the implementation's origin and associated certification state. The | the implementation's origin and associated certification state. The | |||
| full definition is in [PSA-SM]. | full definition is in [PSA-SM]. | |||
| This claim MUST be present in a PSA attestation token. | This claim MUST be present in a PSA attestation token. | |||
| psa-implementation-id-type = bytes .size 32 | psa-implementation-id-type = bytes .size 32 | |||
| psa-implementation-id = ( | psa-implementation-id = ( | |||
| arm_psa_implementation_id => psa-implementation-id-type | psa-implementation-id-key => psa-implementation-id-type | |||
| ) | ) | |||
| 3.2.3. Hardware Version | 3.2.3. Certification Reference | |||
| The Hardware Version claim provides metadata linking the token to the | The Certification Reference claim is used to link the class of chip | |||
| GDSII that went to fabrication for this instance. It can be used to | and PSA RoT of the attesting device to an associated entry in the PSA | |||
| link the class of chip and PSA RoT to the data on a certification | Certification database. It MUST be represented as a thirteen-digit | |||
| website. It MUST be represented as a thirteen-digit [EAN-13]. | [EAN-13]. | |||
| psa-hardware-version-type = text .regexp "[0-9]{13}" | Linking to the PSA Certification entry can still be achieved if this | |||
| claim is not present in the token by making an association at a | ||||
| Verifier between the reference value and other token claim values - | ||||
| for example, the Implementation ID. | ||||
| psa-hardware-version = ( | psa-certification-reference-type = text .regexp "[0-9]{13}" | |||
| ? arm_psa_hw_version => psa-hardware-version-type | ||||
| psa-certification-reference = ( | ||||
| ? psa-certification-reference-key => | ||||
| psa-certification-reference-type | ||||
| ) | ) | |||
| 3.3. Target State Claims | 3.3. Target State Claims | |||
| 3.3.1. Security Lifecycle | 3.3.1. Security Lifecycle | |||
| The Security Lifecycle claim represents the current lifecycle state | The Security Lifecycle claim represents the current lifecycle state | |||
| of the PSA RoT. The state is represented by an integer that is | of the PSA RoT. The state is represented by an integer that is | |||
| divided to convey a major state and a minor state. A major state is | divided to convey a major state and a minor state. A major state is | |||
| mandatory and defined by [PSA-SM]. A minor state is optional and | mandatory and defined by [PSA-SM]. A minor state is optional and | |||
| skipping to change at page 7, line 46 ¶ | skipping to change at page 8, line 23 ¶ | |||
| psa-lifecycle-type = | psa-lifecycle-type = | |||
| psa-lifecycle-unknown-type / | psa-lifecycle-unknown-type / | |||
| psa-lifecycle-assembly-and-test-type / | psa-lifecycle-assembly-and-test-type / | |||
| psa-lifecycle-psa-rot-provisioning-type / | psa-lifecycle-psa-rot-provisioning-type / | |||
| psa-lifecycle-secured-type / | psa-lifecycle-secured-type / | |||
| psa-lifecycle-non-psa-rot-debug-type / | psa-lifecycle-non-psa-rot-debug-type / | |||
| psa-lifecycle-recoverable-psa-rot-debug-type / | psa-lifecycle-recoverable-psa-rot-debug-type / | |||
| psa-lifecycle-decommissioned-type | psa-lifecycle-decommissioned-type | |||
| psa-lifecycle = ( | psa-lifecycle = ( | |||
| arm_psa_security_lifecycle => psa-lifecycle-type | psa-lifecycle-key => psa-lifecycle-type | |||
| ) | ) | |||
| 3.3.2. Boot Seed | 3.3.2. Boot Seed | |||
| The Boot Seed claim represents a random value created at system boot | The Boot Seed claim represents a random value created at system boot | |||
| time that will allow differentiation of reports from different boot | time that will allow differentiation of reports from different boot | |||
| sessions. | sessions. | |||
| This claim MUST be present in a PSA attestation token. | This claim MUST be present in a PSA attestation token. | |||
| psa-boot-seed-type = bytes .size 32 | psa-boot-seed-type = bytes .size 32 | |||
| psa-boot-seed = ( | psa-boot-seed = ( | |||
| arm_psa_boot_seed => psa-boot-seed-type | psa-boot-seed-key => psa-boot-seed-type | |||
| ) | ) | |||
| 3.4. Software Inventory Claims | 3.4. Software Inventory Claims | |||
| 3.4.1. Software Components | 3.4.1. Software Components | |||
| The Software Components claim is a list of software components that | The Software Components claim is a list of software components that | |||
| includes all the software loaded by the PSA RoT. This claim SHALL be | includes all the software loaded by the PSA RoT. This claim SHALL be | |||
| included in attestation tokens produced by an implementation | included in attestation tokens produced by an implementation | |||
| conformant with [PSA-SM]. If the Software Components claim is | conformant with [PSA-SM]. If the Software Components claim is | |||
| skipping to change at page 9, line 6 ¶ | skipping to change at page 9, line 21 ¶ | |||
| party will typically see the result of the verification process from | party will typically see the result of the verification process from | |||
| the Verifier in form of an attestation result, rather than the | the Verifier in form of an attestation result, rather than the | |||
| "naked" PSA token from the attesting endpoint. Therefore, a relying | "naked" PSA token from the attesting endpoint. Therefore, a relying | |||
| party is not expected to understand the Software Components claim. | party is not expected to understand the Software Components claim. | |||
| Instead, it is for the Verifier to check this claim against the | Instead, it is for the Verifier to check this claim against the | |||
| available endorsements and provide an answer in form of an "high | available endorsements and provide an answer in form of an "high | |||
| level" attestation result, which may or may not include the original | level" attestation result, which may or may not include the original | |||
| Software Components claim. | Software Components claim. | |||
| psa-software-component = { | psa-software-component = { | |||
| ? 1 => text, ; measurement type | ? 1 => text, ; measurement type | |||
| 2 => psa-hash-type, ; measurement value | 2 => psa-hash-type, ; measurement value | |||
| ? 4 => text, ; version | ? 4 => text, ; version | |||
| 5 => psa-hash-type, ; signer id | 5 => psa-hash-type, ; signer id | |||
| ? 6 => text, ; measurement description | ? 6 => text, ; measurement description | |||
| } | } | |||
| psa-software-components = ( | psa-software-components = ( | |||
| arm_psa_sw_components => [ + psa-software-component ] | psa-software-components-key => [ + psa-software-component ] | |||
| ) | ) | |||
| 3.4.1.1. Measurement Type | 3.4.1.1. Measurement Type | |||
| The Measurement Type attribute (key=1) is short string representing | The Measurement Type attribute (key=1) is short string representing | |||
| the role of this software component. | the role of this software component. | |||
| The following measurement types MAY be used: | The following measurement types MAY be used: | |||
| * "BL": a Boot Loader | * "BL": a Boot Loader | |||
| skipping to change at page 10, line 38 ¶ | skipping to change at page 11, line 8 ¶ | |||
| In the event that the implementation does not contain any software | In the event that the implementation does not contain any software | |||
| measurements then the Software Components claim Section 3.4.1 can be | measurements then the Software Components claim Section 3.4.1 can be | |||
| omitted but instead the token MUST include this claim to indicate | omitted but instead the token MUST include this claim to indicate | |||
| this is a deliberate state. The value SHOULD be 1. This claim is | this is a deliberate state. The value SHOULD be 1. This claim is | |||
| intended for devices that are not compliant with [PSA-SM]. | intended for devices that are not compliant with [PSA-SM]. | |||
| psa-no-sw-measurements-type = 1 | psa-no-sw-measurements-type = 1 | |||
| psa-no-sw-measurement = ( | psa-no-sw-measurement = ( | |||
| arm_psa_no_sw_measurements => psa-no-sw-measurements-type | psa-no-sw-measurement-key => psa-no-sw-measurements-type | |||
| ) | ) | |||
| 3.5. Verification Claims | 3.5. Verification Claims | |||
| 3.5.1. Verification Service Indicator | 3.5.1. Verification Service Indicator | |||
| The Verification Service Indicator claim is a hint used by a relying | The Verification Service Indicator claim is a hint used by a relying | |||
| party to locate a validation service for the token. The value is a | party to locate a validation service for the token. The value is a | |||
| text string that can be used to locate the service or a URL | text string that can be used to locate the service or a URL | |||
| specifying the address of the service. A verifier may choose to | specifying the address of the service. A verifier may choose to | |||
| ignore this claim in favor of other information. | ignore this claim in favor of other information. | |||
| psa-verification-service-indicator-type = text | psa-verification-service-indicator-type = text | |||
| psa-verification-service-indicator = ( | psa-verification-service-indicator = ( | |||
| ? arm_psa_origination => psa-verification-service-indicator-type | ? psa-verification-service-indicator-key => | |||
| psa-verification-service-indicator-type | ||||
| ) | ) | |||
| 3.5.2. Profile Definition | 3.5.2. Profile Definition | |||
| The Profile Definition claim contains the name of a document that | The Profile Definition claim contains the name of a document that | |||
| describes the "profile" of the report. The document name may include | describes the "profile" of the report. The document name may include | |||
| versioning. The value for this specification MUST be | versioning. The value for this specification MUST be | |||
| PSA_IOT_PROFILE_1. | PSA_IOT_PROFILE_1. | |||
| psa-profile-type = "PSA_IOT_PROFILE_1" | psa-profile-type = "PSA_IOT_PROFILE_1" | |||
| psa-profile = ( | psa-profile = ( | |||
| ? arm_psa_profile_id => psa-profile-type | ? psa-profile-key => psa-profile-type | |||
| ) | ) | |||
| 4. Token Encoding and Signing | 4. Token Encoding and Signing | |||
| The report is encoded as a COSE Web Token (CWT) [RFC8392], similar to | The report is encoded as a COSE Web Token (CWT) [RFC8392], similar to | |||
| the Entity Attestation Token (EAT) [I-D.ietf-rats-eat]. The token | the Entity Attestation Token (EAT) [I-D.ietf-rats-eat]. The token | |||
| consists of a series of claims declaring evidence as to the nature of | consists of a series of claims declaring evidence as to the nature of | |||
| the instance of hardware and software. The claims are encoded in | the instance of hardware and software. The claims are encoded in | |||
| CBOR [RFC7049] format. For asymmetric key algorithms, the signature | CBOR [RFC7049] format. For asymmetric key algorithms, the signature | |||
| structure MUST be COSE-Sign1. For symmetric key algorithms, the | structure MUST be COSE_Sign1. For symmetric key algorithms, the | |||
| structure MUST be COSE-Mac0. | structure MUST be COSE_Mac0. | |||
| 5. Collated CDDL | 5. Collated CDDL | |||
| psa-token = { | psa-token = { | |||
| psa-nonce-claim, | psa-nonce, | |||
| psa-instance-id, | psa-instance-id, | |||
| psa-verification-service-indicator, | psa-verification-service-indicator, | |||
| psa-profile, | psa-profile, | |||
| psa-implementation-id, | psa-implementation-id, | |||
| psa-client-id, | psa-client-id, | |||
| psa-lifecycle, | psa-lifecycle, | |||
| psa-hardware-version, | psa-certification-reference, | |||
| psa-boot-seed, | psa-boot-seed, | |||
| ( psa-software-components // psa-no-sw-measurement ), | ( psa-software-components // psa-no-sw-measurement ), | |||
| } | } | |||
| arm_psa_profile_id = -75000 | psa-profile-key = -75000 | |||
| arm_psa_partition_id = -75001 | psa-client-id-key = -75001 | |||
| arm_psa_security_lifecycle = -75002 | psa-lifecycle-key = -75002 | |||
| arm_psa_implementation_id = -75003 | psa-implementation-id-key = -75003 | |||
| arm_psa_boot_seed = -75004 | psa-boot-seed-key = -75004 | |||
| arm_psa_hw_version = -75005 | psa-certification-reference-key = -75005 | |||
| arm_psa_sw_components = -75006 | psa-software-components-key = -75006 | |||
| arm_psa_no_sw_measurements = -75007 | psa-no-sw-measurement-key = -75007 | |||
| arm_psa_nonce = -75008 | psa-nonce-key = -75008 | |||
| arm_psa_UEID = -75009 | psa-instance-id-key = -75009 | |||
| arm_psa_origination = -75010 | psa-verification-service-indicator-key = -75010 | |||
| psa-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 | psa-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 | |||
| psa-boot-seed-type = bytes .size 32 | psa-boot-seed-type = bytes .size 32 | |||
| psa-boot-seed = ( | psa-boot-seed = ( | |||
| arm_psa_boot_seed => psa-boot-seed-type | psa-boot-seed-key => psa-boot-seed-type | |||
| ) | ) | |||
| psa-client-id-nspe-type = -2147483648...0 | psa-client-id-nspe-type = -2147483648...0 | |||
| psa-client-id-spe-type = 1..2147483647 | psa-client-id-spe-type = 1..2147483647 | |||
| psa-client-id-type = psa-client-id-nspe-type / psa-client-id-spe-type | psa-client-id-type = psa-client-id-nspe-type / psa-client-id-spe-type | |||
| psa-client-id = ( | psa-client-id = ( | |||
| arm_psa_partition_id => psa-client-id-type | psa-client-id-key => psa-client-id-type | |||
| ) | ) | |||
| psa-hardware-version-type = text .regexp "[0-9]{13}" | psa-certification-reference-type = text .regexp "[0-9]{13}" | |||
| psa-hardware-version = ( | psa-certification-reference = ( | |||
| ? arm_psa_hw_version => psa-hardware-version-type | ? psa-certification-reference-key => | |||
| psa-certification-reference-type | ||||
| ) | ) | |||
| psa-implementation-id-type = bytes .size 32 | psa-implementation-id-type = bytes .size 32 | |||
| psa-implementation-id = ( | psa-implementation-id = ( | |||
| arm_psa_implementation_id => psa-implementation-id-type | psa-implementation-id-key => psa-implementation-id-type | |||
| ) | ) | |||
| psa-instance-id-type = bytes .size 33 | psa-instance-id-type = bytes .size 33 | |||
| psa-instance-id = ( | psa-instance-id = ( | |||
| arm_psa_UEID => psa-instance-id-type | psa-instance-id-key => psa-instance-id-type | |||
| ) | ) | |||
| psa-no-sw-measurements-type = 1 | psa-no-sw-measurements-type = 1 | |||
| psa-no-sw-measurement = ( | psa-no-sw-measurement = ( | |||
| arm_psa_no_sw_measurements => psa-no-sw-measurements-type | psa-no-sw-measurement-key => psa-no-sw-measurements-type | |||
| ) | ) | |||
| psa-nonce-claim = ( | ||||
| arm_psa_nonce => psa-hash-type | psa-nonce = ( | |||
| psa-nonce-key => psa-hash-type | ||||
| ) | ) | |||
| psa-profile-type = "PSA_IOT_PROFILE_1" | psa-profile-type = "PSA_IOT_PROFILE_1" | |||
| psa-profile = ( | psa-profile = ( | |||
| ? arm_psa_profile_id => psa-profile-type | ? psa-profile-key => psa-profile-type | |||
| ) | ) | |||
| psa-lifecycle-unknown-type = 0x0000..0x00ff | psa-lifecycle-unknown-type = 0x0000..0x00ff | |||
| psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff | psa-lifecycle-assembly-and-test-type = 0x1000..0x10ff | |||
| psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff | psa-lifecycle-psa-rot-provisioning-type = 0x2000..0x20ff | |||
| psa-lifecycle-secured-type = 0x3000..0x30ff | psa-lifecycle-secured-type = 0x3000..0x30ff | |||
| psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff | psa-lifecycle-non-psa-rot-debug-type = 0x4000..0x40ff | |||
| psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff | psa-lifecycle-recoverable-psa-rot-debug-type = 0x5000..0x50ff | |||
| psa-lifecycle-decommissioned-type = 0x6000..0x60ff | psa-lifecycle-decommissioned-type = 0x6000..0x60ff | |||
| psa-lifecycle-type = | psa-lifecycle-type = | |||
| psa-lifecycle-unknown-type / | psa-lifecycle-unknown-type / | |||
| psa-lifecycle-assembly-and-test-type / | psa-lifecycle-assembly-and-test-type / | |||
| psa-lifecycle-psa-rot-provisioning-type / | psa-lifecycle-psa-rot-provisioning-type / | |||
| psa-lifecycle-secured-type / | psa-lifecycle-secured-type / | |||
| psa-lifecycle-non-psa-rot-debug-type / | psa-lifecycle-non-psa-rot-debug-type / | |||
| psa-lifecycle-recoverable-psa-rot-debug-type / | psa-lifecycle-recoverable-psa-rot-debug-type / | |||
| psa-lifecycle-decommissioned-type | psa-lifecycle-decommissioned-type | |||
| psa-lifecycle = ( | psa-lifecycle = ( | |||
| arm_psa_security_lifecycle => psa-lifecycle-type | psa-lifecycle-key => psa-lifecycle-type | |||
| ) | ) | |||
| psa-software-component = { | psa-software-component = { | |||
| ? 1 => text, ; measurement type | ? 1 => text, ; measurement type | |||
| 2 => psa-hash-type, ; measurement value | 2 => psa-hash-type, ; measurement value | |||
| ? 4 => text, ; version | ? 4 => text, ; version | |||
| 5 => psa-hash-type, ; signer id | 5 => psa-hash-type, ; signer id | |||
| ? 6 => text, ; measurement description | ? 6 => text, ; measurement description | |||
| } | } | |||
| psa-software-components = ( | psa-software-components = ( | |||
| arm_psa_sw_components => [ + psa-software-component ] | psa-software-components-key => [ + psa-software-component ] | |||
| ) | ) | |||
| psa-verification-service-indicator-type = text | psa-verification-service-indicator-type = text | |||
| psa-verification-service-indicator = ( | psa-verification-service-indicator = ( | |||
| ? arm_psa_origination => psa-verification-service-indicator-type | ? psa-verification-service-indicator-key => | |||
| psa-verification-service-indicator-type | ||||
| ) | ) | |||
| 6. Security and Privacy Considerations | 6. Security and Privacy Considerations | |||
| This specification re-uses the CWT and the EAT specification. Hence, | This specification re-uses the CWT and the EAT specification. Hence, | |||
| the security and privacy considerations of those specifications apply | the security and privacy considerations of those specifications apply | |||
| here as well. | here as well. | |||
| Since CWTs offer different ways to protect the token, this | Since CWTs offer different ways to protect the token, this | |||
| specification profiles those options and allows signatures based on | specification profiles those options and allows signatures based on | |||
| use of public key cryptography as well as MAC authentication. The | use of public key cryptography as well as MAC authentication. The | |||
| token MUST be signed following the structure of the COSE | token MUST be signed following the structure of the COSE | |||
| specification [RFC8152]. The COSE type MUST be COSE-Sign1 for public | specification [RFC8152]. The COSE type MUST be COSE_Sign1 for public | |||
| key signatures or COSE-Mac0 for MAC authentication. Note however | key signatures or COSE_Mac0 for MAC authentication. Note however | |||
| that use of MAC authentication is NOT RECOMMENDED due to the | that use of MAC authentication is NOT RECOMMENDED due to the | |||
| associated infrastructure costs for key management and protocol | associated infrastructure costs for key management and protocol | |||
| complexities. It may also restrict the ability to interoperate with | complexities. It may also restrict the ability to interoperate with | |||
| third parties. | third parties. | |||
| Attestation tokens contain information that may be unique to a device | Attestation tokens contain information that may be unique to a device | |||
| and therefore they may allow to single out an individual device for | and therefore they may allow to single out an individual device for | |||
| tracking purposes. Implementations that have privacy requirements | tracking purposes. Implementations that have privacy requirements | |||
| must take appropriate measures to ensure that the token is only used | must take appropriate measures to ensure that the token is only used | |||
| to provision anonymous/pseudonym keys. | to provision anonymous/pseudonym keys. | |||
| 7. IANA Considerations | 7. Verification | |||
| IANA is requested to allocate the claims defined in Section 3 to the | To verify the token, the primary need is to check correct formation | |||
| CBOR Web Token (CWT) Claims registry [IANA-CWT]. The change | and signing as for any CWT token. In addition though, the verifier | |||
| controller are the authors and the reference is this document. | can operate a policy where values of some of the claims in this | |||
| profile can be compared to reference values, registered with the | ||||
| verifier for a given deployment, in order to confirm that the device | ||||
| is endorsed by the manufacturer supply chain. The policy may require | ||||
| that the relevant claims must have a match to a registered reference | ||||
| value. All claims may be worthy of additional appraisal. It is | ||||
| likely that most deployments would include a policy with appraisal | ||||
| for the following claims: | ||||
| 8. References | * Instance ID - the value of the Instance ID can be used (together | |||
| with the kid in the token COSE header, if present) to assist in | ||||
| locating the public key used to verify the token signature. | ||||
| 8.1. Normative References | * Implementation ID - the value of the Implementation ID can be used | |||
| to identify the verification requirements of the deployment. | ||||
| * Software Component, Measurement Value - this value can uniquely | ||||
| identify a firmware release from the supply chain. In some cases, | ||||
| a verifier may maintain a record for a series of firmware | ||||
| releases, being patches to an original baseline release. A | ||||
| verification policy may then allow this value to match any point | ||||
| on that release sequence or expect some minimum level of maturity | ||||
| related to the sequence. | ||||
| * Software Component, Signer ID - where present in a deployment, | ||||
| this could allow a verifier to operate a more general policy than | ||||
| that for Measurement Value as above, by allowing a token to | ||||
| contain any firmware entries signed by a known Signer ID, without | ||||
| checking for a uniquely registered version. | ||||
| 8. IANA Considerations | ||||
| 8.1. CBOR Web Token Claims Registration | ||||
| This specification registers the following claims in the IANA "CBOR | ||||
| Web Token (CWT) Claims" registry [IANA-CWT], established by | ||||
| [RFC8392]. | ||||
| 8.1.1. Nonce Claim | ||||
| * Claim Name: "psa-nonce" | ||||
| * Claim Description: Nonce | ||||
| * JWT Claim Name: "psa-nonce" | ||||
| * Claim Key: [[Proposed: -75008]] | ||||
| * Claim Value Type(s): bytes (32, 48, or 64 bytes in length) | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.1.1 of [[this RFC]] | ||||
| 8.1.2. Client ID Claim | ||||
| * Claim Name: "psa-client-id" | ||||
| * Claim Description: Client ID | ||||
| * JWT Claim Name: "psa-client-id" | ||||
| * Claim Key: [[Proposed: -75001]] | ||||
| * Claim Value Type(s): signed integer | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.1.2 of [[this RFC]] | ||||
| 8.1.3. Instance ID Claim | ||||
| * Claim Name: "psa-instance-id" | ||||
| * Claim Description: Instance ID | ||||
| * JWT Claim Name: "psa-instance-id" | ||||
| * Claim Key: [[Proposed: -75009]] | ||||
| * Claim Value Type(s): bytes (33 bytes in length) | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.2.1 of [[this RFC]] | ||||
| 8.1.4. Implementation ID Claim | ||||
| * Claim Name: "psa-implementation-id" | ||||
| * Claim Description: Implementation ID | ||||
| * JWT Claim Name: "psa-implementation-id" | ||||
| * Claim Key: [[Proposed: -75003]] | ||||
| * Claim Value Type(s): bytes (32 bytes in length) | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.2.2 of [[this RFC]] | ||||
| 8.1.5. Certification Reference Claim | ||||
| * Claim Name: "psa-certification-reference" | ||||
| * Claim Description: Certification Reference | ||||
| * JWT Claim Name: "psa-certification-reference" | ||||
| * Claim Key: [[Proposed: -75005]] | ||||
| * Claim Value Type(s): text | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.2.3 of [[this RFC]] | ||||
| 8.1.6. Security Lifecycle Claim | ||||
| * Claim Name: "psa-lifecycle" | ||||
| * Claim Description: Security Lifecycle | ||||
| * JWT Claim Name: "psa-lifecycle" | ||||
| * Claim Key: [[Proposed: -75002]] | ||||
| * Claim Value Type(s): unsigned integer | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.3.1 of [[this RFC]] | ||||
| 8.1.7. Boot Seed Claim | ||||
| * Claim Name: "psa-boot-seed" | ||||
| * Claim Description: Boot Seed | ||||
| * JWT Claim Name: "psa-boot-seed" | ||||
| * Claim Key: [[Proposed: -75004]] | ||||
| * Claim Value Type(s): bytes (32 bytes in length) | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.3.2 of [[this RFC]] | ||||
| 8.1.8. Software Components Claim | ||||
| * Claim Name: "psa-software-components" | ||||
| * Claim Description: Software Components | ||||
| * JWT Claim Name: "psa-software-components" | ||||
| * Claim Key: [[Proposed: -75006]] | ||||
| * Claim Value Type(s): array | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.4.1 of [[this RFC]] | ||||
| 8.1.9. No Software Measurements Claim | ||||
| * Claim Name: "psa-no-sw-measurement" | ||||
| * Claim Description: No Software Measurements | ||||
| * JWT Claim Name: "psa-no-sw-measurement" | ||||
| * Claim Key: [[Proposed: -75007]] | ||||
| * Claim Value Type(s): unsigned integer | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.4.2 of [[this RFC]] | ||||
| 8.1.10. Verification Service Indicator Claim | ||||
| * Claim Name: "psa-verification-service-indicator" | ||||
| * Claim Description: Verification Service Indicator | ||||
| * JWT Claim Name: "psa-verification-service-indicator" | ||||
| * Claim Key: [[Proposed: -75010]] | ||||
| * Claim Value Type(s): text | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.5.1 of [[this RFC]] | ||||
| 8.1.11. Profile Definition Claim | ||||
| * Claim Name: "psa-profile" | ||||
| * Claim Description: Profile Definition | ||||
| * JWT Claim Name: "psa-profile" | ||||
| * Claim Key: [[Proposed: -75000]] | ||||
| * Claim Value Type(s): text | ||||
| * Change Controller: [[Authors of this RFC]] | ||||
| * Specification Document(s): Section 3.5.2 of [[this RFC]] | ||||
| 8.2. Media Type Registration | ||||
| IANA is requested to register the "application/psa-attestation-token" | ||||
| media type [RFC2046] in the "Media Types" registry [IANA-MediaTypes] | ||||
| in the manner described in RFC 6838 [RFC6838], which can be used to | ||||
| indicate that the content is a PSA Attestation Token. | ||||
| * Type name: application | ||||
| * Subtype name: psa-attestation-token | ||||
| * Required parameters: n/a | ||||
| * Optional parameters: n/a | ||||
| * Encoding considerations: binary | ||||
| * Security considerations: See the Security Considerations section | ||||
| of [[this RFC]] | ||||
| * Interoperability considerations: n/a | ||||
| * Published specification: [[this RFC]] | ||||
| * Applications that use this media type: Attesters and Relying | ||||
| Parties sending PSA attestation tokens over HTTP(S), CoAP(S), and | ||||
| other transports. | ||||
| * Fragment identifier considerations: n/a | ||||
| * Additional information: | ||||
| - Magic number(s): n/a | ||||
| - File extension(s): n/a | ||||
| - Macintosh file type code(s): n/a | ||||
| * Person & email address to contact for further information: Hannes | ||||
| Tschofenig, Hannes.Tschofenig@arm.com | ||||
| * Intended usage: COMMON | ||||
| * Restrictions on usage: none | ||||
| * Author: Hannes Tschofenig, Hannes.Tschofenig@arm.com | ||||
| * Change controller: IESG | ||||
| * Provisional registration? No | ||||
| 8.3. CoAP Content-Formats Registration | ||||
| IANA is requested to register the CoAP Content-Format ID for the | ||||
| "application/psa-attestation-token" media type in the "CoAP Content- | ||||
| Formats" registry [IANA-CoAP-Content-Formats]. | ||||
| 8.3.1. Registry Contents | ||||
| * Media Type: application/psa-attestation-token | ||||
| * Encoding: - | ||||
| * Id: [[To-be-assigned by IANA]] | ||||
| * Reference: [[this RFC]] | ||||
| 9. References | ||||
| 9.1. Normative References | ||||
| [EAN-13] GS1, "International Article Number - EAN/UPC barcodes", | [EAN-13] GS1, "International Article Number - EAN/UPC barcodes", | |||
| 2019, <https://www.gs1.org/standards/barcodes/ean-upc>. | 2019, <https://www.gs1.org/standards/barcodes/ean-upc>. | |||
| [PSA-FF] Arm, "Platform Security Architecture Firmware Framework | [PSA-FF] Arm, "Platform Security Architecture Firmware Framework | |||
| 1.0 (PSA-FF)", February 2019, | 1.0 (PSA-FF)", February 2019, | |||
| <https://pages.arm.com/psa-resources-ff.html>. | <https://pages.arm.com/psa-resources-ff.html>. | |||
| [PSA-SM] Arm, "Platform Security Architecture Security Model 1.0 | [PSA-SM] Arm, "Platform Security Architecture Security Model 1.0 | |||
| (PSA-SM)", February 2019, | (PSA-SM)", February 2019, | |||
| <https://pages.arm.com/psa-resources-sm.html>. | <https://pages.arm.com/psa-resources-sm.html>. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | ||||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | ||||
| DOI 10.17487/RFC2046, November 1996, | ||||
| <https://www.rfc-editor.org/info/rfc2046>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type | ||||
| Specifications and Registration Procedures", BCP 13, | ||||
| RFC 6838, DOI 10.17487/RFC6838, January 2013, | ||||
| <https://www.rfc-editor.org/info/rfc6838>. | ||||
| [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object | [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
| Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, | Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, | |||
| October 2013, <https://www.rfc-editor.org/info/rfc7049>. | October 2013, <https://www.rfc-editor.org/info/rfc7049>. | |||
| [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
| RFC 8152, DOI 10.17487/RFC8152, July 2017, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8152>. | <https://www.rfc-editor.org/info/rfc8152>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| skipping to change at page 15, line 27 ¶ | skipping to change at page 22, line 5 ¶ | |||
| [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, | |||
| "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, | |||
| May 2018, <https://www.rfc-editor.org/info/rfc8392>. | May 2018, <https://www.rfc-editor.org/info/rfc8392>. | |||
| [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
| Definition Language (CDDL): A Notational Convention to | Definition Language (CDDL): A Notational Convention to | |||
| Express Concise Binary Object Representation (CBOR) and | Express Concise Binary Object Representation (CBOR) and | |||
| JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | |||
| June 2019, <https://www.rfc-editor.org/info/rfc8610>. | June 2019, <https://www.rfc-editor.org/info/rfc8610>. | |||
| 8.2. Informative References | 9.2. Informative References | |||
| [I-D.ietf-rats-architecture] | [I-D.ietf-rats-architecture] | |||
| Birkholz, H., Thaler, D., Richardson, M., and N. Smith, | Birkholz, H., Thaler, D., Richardson, M., Smith, N., and | |||
| "Remote Attestation Procedures Architecture", Work in | W. Pan, "Remote Attestation Procedures Architecture", Work | |||
| Progress, Internet-Draft, draft-ietf-rats-architecture-01, | in Progress, Internet-Draft, draft-ietf-rats-architecture- | |||
| 4 February 2020, <http://www.ietf.org/internet-drafts/ | 07, 16 October 2020, <http://www.ietf.org/internet-drafts/ | |||
| draft-ietf-rats-architecture-01.txt>. | draft-ietf-rats-architecture-07.txt>. | |||
| [I-D.ietf-rats-eat] | [I-D.ietf-rats-eat] | |||
| Mandyam, G., Lundblade, L., Ballesteros, M., and J. | Mandyam, G., Lundblade, L., Ballesteros, M., and J. | |||
| O'Donoghue, "The Entity Attestation Token (EAT)", Work in | O'Donoghue, "The Entity Attestation Token (EAT)", Work in | |||
| Progress, Internet-Draft, draft-ietf-rats-eat-03, 20 | Progress, Internet-Draft, draft-ietf-rats-eat-04, 31 | |||
| February 2020, <http://www.ietf.org/internet-drafts/draft- | August 2020, <http://www.ietf.org/internet-drafts/draft- | |||
| ietf-rats-eat-03.txt>. | ietf-rats-eat-04.txt>. | |||
| [IANA-CoAP-Content-Formats] | ||||
| IANA, "CoAP Content-Formats", 2020, | ||||
| <https://www.iana.org/assignments/core-parameters>. | ||||
| [IANA-CWT] IANA, "CBOR Web Token (CWT) Claims", 2020, | [IANA-CWT] IANA, "CBOR Web Token (CWT) Claims", 2020, | |||
| <https://www.iana.org/assignments/cwt/cwt.xhtml>. | <https://www.iana.org/assignments/cwt/cwt.xhtml>. | |||
| [IANA-MediaTypes] | ||||
| IANA, "Media Types", 2020, | ||||
| <http://www.iana.org/assignments/media-types>. | ||||
| [PSA] Arm, "Platform Security Architecture Resources", 2019, | [PSA] Arm, "Platform Security Architecture Resources", 2019, | |||
| <https://www.arm.com/why-arm/architecture/platform- | <https://www.arm.com/why-arm/architecture/platform- | |||
| security-architecture/psa-resources>. | security-architecture/psa-resources>. | |||
| [TF-M] Linaro, "Trusted Firmware", 2020, | [TF-M] Linaro, "Trusted Firmware", 2020, | |||
| <https://www.trustedfirmware.org>. | <https://www.trustedfirmware.org>. | |||
| Appendix A. Reference Implementation | Appendix A. Reference Implementation | |||
| A reference implementation is provided by the Trusted Firmware | A reference implementation is provided by the Trusted Firmware | |||
| project [TF-M]. | project [TF-M]. | |||
| Appendix B. Example | Appendix B. Example | |||
| The following example shows an attestation token that was produced | The following example shows a PSA attestation token for an | |||
| for a device that has a single-stage bootloader, and an RTOS with a | hypothetical system comprising two measured software components (a | |||
| device management client. From a code point of view, the RTOS and | boot loader and a trusted RTOS). The attesting device is in a | |||
| the device management client form a single binary. | lifecycle state Section 3.3.1 of SECURED. The attestation has been | |||
| requested from a client residing in the SPE: | ||||
| EC key using curve P-256 with: | ||||
| * x: | ||||
| 0xdcf0d0f4bcd5e26a54ee36cad660d283d12abc5f7307de58689e77cd60452e75 | ||||
| * y: | ||||
| 0x8cbadb5fe9f89a7107e5a2e8ea44ec1b09b7da2a1a82a0252a4c1c26ee1ed7cf | ||||
| * d: | ||||
| 0xc74670bcb7e85b3803efb428940492e73e3fe9d4f7b5a8ad5e480cbdbcb554c2 | ||||
| Key using COSE format (base64-encoded): | ||||
| pSJYIIy621/p+JpxB+Wi6OpE7BsJt9oqGoKgJSpMHCbuHtfPI1ggx0ZwvLfoWzgD77Q | { | |||
| olASS5z4/6dT3taitXkgMvby1VMIBAiFYINzw0PS81eJqVO42ytZg0oPRKrxfcwfeWG | / psa-profile / -75000: "PSA_IOT_PROFILE_1", | |||
| ied81gRS51IAE= | / psa-client-id / -75001: 1, | |||
| / psa-lifecycle / -75002: 12288, | ||||
| / psa-implementation-id / -75003: h'50515253545556575051 | ||||
| 52535455565750515253545556575051525354555657', | ||||
| / psa-boot-seed / -75004: h'DEADBEEFDEADBEEFDEAD | ||||
| BEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF', | ||||
| / psa-certification-reference / -75005: "1234567890123", | ||||
| / psa-software-components / -75006: [ | ||||
| { | ||||
| / measurement type / 1: "BL", | ||||
| / measurement value / 2: h'0001020400010204000102040001020 | ||||
| 400010204000102040001020400010204', | ||||
| / signer ID / 5: h'519200FF519200FF519200FF519200F | ||||
| F519200FF519200FF519200FF519200FF' | ||||
| }, | ||||
| { | ||||
| / measurement type / 1: "PRoT", | ||||
| / measurement value / 2: h'0506070805060708050607080506070 | ||||
| 805060708050607080506070805060708', | ||||
| / signer ID / 5: h'519200FF519200FF519200FF519200F | ||||
| F519200FF519200FF519200FF519200FF' | ||||
| } | ||||
| ], | ||||
| / psa-nonce / -75008: h'00010203000102030001020300010203 | ||||
| 00010203000102030001020300010203', | ||||
| / psa-instance-id / -75009: h'01A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2 | ||||
| A3A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2A3', | ||||
| / psa-verification-service-indicator / -75010: "https://psa-ve | ||||
| rifier.org" | ||||
| } | ||||
| Example of EAT token (base64-encoded): | The JWK representation of the IAK used for creating the COSE Sign1 | |||
| signature over the PSA token is: | ||||
| 0oRDoQEmoFkCIqk6AAEk+1ggAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8 | { | |||
| 6AAEk+lggAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh86AAEk/YSkAlggAA | "kty": "EC", | |||
| ECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8EZTMuMS40BVggAAECAwQFBgcIC | "crv": "P-256", | |||
| QoLDA0ODxAREhMUFRYXGBkaGxwdHh8BYkJMpAJYIAABAgMEBQYHCAkKCwwNDg8QERIT | "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", | |||
| FBUWFxgZGhscHR4fBGMxLjEFWCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0 | "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", | |||
| eHwFkUFJvVKQCWCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHwRjMS4wBV | "d": "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE", | |||
| ggAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8BZEFSb1SkAlggAAECAwQFB | "use": "enc", | |||
| gcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8EYzIuMgVYIAABAgMEBQYHCAkKCwwNDg8Q | "kid": "1" | |||
| ERITFBUWFxgZGhscHR4fAWNBcHA6AAEk+RkwADoAAST/WCAAAQIDBAUGBwgJCgsMDQ4 | } | |||
| PEBESExQVFhcYGRobHB0eHzoAASUBbHBzYV92ZXJpZmllcjoAAST4IDoAASUAWCEBAA | ||||
| ECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh86AAEk93FQU0FfSW9UX1BST0ZJT | ||||
| EVfMVhAWIYFCO5+jMSOuoctu11pSlQrEyKtDVECPBlw30KfBlAcaDqVEIoMztCm6A4J | ||||
| ZvIr1j0cAFaXShG6My14d4f7Tw== | ||||
| Same token using extended CBOR diagnostic format: | The resulting COSE object is: | |||
| 18( | 18( | |||
| [ | [ | |||
| / protected / h'a10126' / { | / protected / h'A10126', | |||
| \ alg \ 1: -7 \ ECDSA 256 \ | / unprotected / {}, | |||
| } / , | / payload / h'AA3A000124F7715053415F494F545F50524F46494C | |||
| / unprotected / {}, | 455F313A000124F8013A000124F91930003A000124FA58205051525354555657 | |||
| / payload / h'a93a000124fb5820000102030405060708090a0b0c0d0e0f10111 | 5051525354555657505152535455565750515253545556573A000124FB5820DE | |||
| 2131415161718191a1b1c1d1e1f3a000124fa5820000102030405060708090a0b0c | ADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF3A | |||
| 0d0e0f101112131415161718191a1b1c1d1e1f3a000124fd84a4025820000102030 | 000124FC6D313233343536373839303132333A000124FD82A30162424C025820 | |||
| 405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f0465332e312e | 0001020400010204000102040001020400010204000102040001020400010204 | |||
| 34055820000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1 | 055820519200FF519200FF519200FF519200FF519200FF519200FF519200FF51 | |||
| d1e1f0162424ca4025820000102030405060708090a0b0c0d0e0f10111213141516 | 9200FFA3016450526F5402582005060708050607080506070805060708050607 | |||
| 1718191a1b1c1d1e1f0463312e31055820000102030405060708090a0b0c0d0e0f1 | 08050607080506070805060708055820519200FF519200FF519200FF519200FF | |||
| 01112131415161718191a1b1c1d1e1f016450526f54a40258200001020304050607 | 519200FF519200FF519200FF519200FF3A000124FF5820000102030001020300 | |||
| 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f0463312e30055820000 | 01020300010203000102030001020300010203000102033A00012500582101A0 | |||
| 102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f016441 | A1A2A3A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2A3A0A1A2A33A | |||
| 526f54a4025820000102030405060708090a0b0c0d0e0f101112131415161718191 | 00012501781868747470733A2F2F7073612D76657269666965722E6F7267', | |||
| a1b1c1d1e1f0463322e32055820000102030405060708090a0b0c0d0e0f10111213 | / signature / h'7C0FA38F80E5EA2A5C710A4BB37ABE63B26B25F17D | |||
| 1415161718191a1b1c1d1e1f01634170703a000124f91930003a000124ff5820000 | B6BE9489587F9B3F8FEB80E0E410D8CDAAFAE5588024CB3E18D60C1F96CED9E0 | |||
| 102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f3a0001 | 6743824614019E99BF13FE' | |||
| 25016c7073615f76657269666965723a000124f8203a00012500582101000102030 | ||||
| 405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f3a000124f771 | ||||
| 5053415f496f545f50524f46494c455f | ||||
| 31' / { | ||||
| / arm_psa_boot_seed / -75004: h'000102030405060708090a0b0c0d0e0f | ||||
| 101112131415161718191a1b1c1d1e1f', | ||||
| / arm_psa_implementation_id / -75003: h'000102030405060708090a0b | ||||
| 0c0d0e0f101112131415161718191a1b1c1d1e1f', | ||||
| / arm_psa_sw_components / -75006: [ | ||||
| { | ||||
| / measurement / 2: h'000102030405060708090a0b0c0d0e0f1011 | ||||
| 12131415161718191a1b1c1d1e1f', | ||||
| / version / 4: "3.1.4", | ||||
| / signerID / 5: h'000102030405060708090a0b0c0d0e0f1011121 | ||||
| 31415161718191a1b1c1d1e1f', | ||||
| / type / 1: "BL" | ||||
| }, | ||||
| { | ||||
| / measurement / 2: h'000102030405060708090a0b0c0d0e0f1011 | ||||
| 12131415161718191a1b1c1d1e1f', | ||||
| / version / 4: "1.1", | ||||
| / signerID / 5: h'000102030405060708090a0b0c0d0e0f1011121 | ||||
| 31415161718191a1b1c1d1e1f', | ||||
| / type / 1: "PRoT" | ||||
| }, | ||||
| { | ||||
| / measurement / 2: h'000102030405060708090a0b0c0d0e0f1011 | ||||
| 12131415161718191a1b1c1d1e1f', | ||||
| / version / 4: "1.0", | ||||
| / signerID / 5: h'000102030405060708090a0b0c0d0e0f1011121 | ||||
| 31415161718191a1b1c1d1e1f', | ||||
| / type / 1: "ARoT" | ||||
| }, | ||||
| { | ||||
| / measurement / 2: h'000102030405060708090a0b0c0d0e0f1011 | ||||
| 12131415161718191a1b1c1d1e1f', | ||||
| / version / 4: "2.2", | ||||
| / signerID / 5: h'000102030405060708090a0b0c0d0e0f1011121 | ||||
| 31415161718191a1b1c1d1e1f', | ||||
| / type / 1: "App" | ||||
| } | ||||
| ], | ||||
| / arm_psa_security_lifecycle / -75002: 12288 / SECURED /, | ||||
| / arm_psa_nonce / -75008: h'000102030405060708090a0b0c0d0e0f101 | ||||
| 112131415161718191a1b1c1d1e1f', | ||||
| / arm_psa_origination / -75010: "psa_verifier", | ||||
| / arm_psa_partition_id / -75001: -1, | ||||
| / arm_psa_UEID / -75009: h'01000102030405060708090a0b0c0d0e0f10 | ||||
| 1112131415161718191a1b1c1d1e1f', | ||||
| / arm_psa_profile_id / -75000: "PSA_IoT_PROFILE_1" | ||||
| }), | ||||
| } / , | ||||
| / signature / h'58860508ee7e8cc48eba872dbb5d694a542b1322ad0d51023c1 | ||||
| 970df429f06501c683a95108a0cced0a6e80e0966f22bd63d1c0056974a11ba332d | ||||
| 787787fb4f' | ||||
| ] | ] | |||
| ) | ) | |||
| Contributors | Contributors | |||
| We would like to thank the following colleagues for their | We would like to thank the following colleagues for their | |||
| contributions: | contributions: | |||
| * Laurence Lundblade | * Laurence Lundblade | |||
| Security Theory LLC | Security Theory LLC | |||
| End of changes. 70 change blocks. | ||||
| 215 lines changed or deleted | 493 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||